ISO/IEC 38507:2022 (Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
- Standard reference: ISO/IEC 38507:2022
- Full title: Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations
- Edition / publication date: Edition 1, published April 2022 (2022-04)
- What it is: An International Standard that provides guidance (not a technical build spec) for governing the use of AI within an organisation.
- Primary purpose: Helps members of the governing body (board/trustees/equivalent) enable and govern AI use so it is effective, efficient, and acceptable.
- Who it’s for: Primarily the governing body, and also executive managers, public authorities/policymakers, service providers/consultants, and assessors/auditors.
- Applicability: Applies to any organisation, public or private, any size, for governance of current and future AI uses and their implications for the organisation.
- Document length: ISO listing shows 28 pages.
- Australian adoption: AS ISO/IEC 38507:2022 identically adopts the ISO/IEC standard; published 14 Oct 2022, 27 pages, with sections covering governance/accountability implications, AI overview, and policies (oversight, decision-making, data use, compliance, risk).
- How it’s commonly positioned with other standards: ISO itself markets it alongside ISO/IEC 42001:2023 and ISO/IEC 27001:2022 as a complementary set (board-level AI governance + AI management system + information security management).
The prerequisites required by the Cyber Security Centre include an up-to-date (within 3 months) ISO 27001 certification or surveillance audit. This forms a foundation component for successful attestation.
What is ISO/IEC 38507?
Aligned to the ISO/IEC 38500 “Governance of IT” principles, ISO/IEC 38507:2022 is written for governing bodies (boards, trustees, and equivalent) and executive leaders to help them evaluate, direct, and monitor AI use so it remains effective, efficient, and acceptable within the organization. It focuses on governance accountability and decision rights—not technical model design—so AI adoption is treated as a strategic, risk-managed business capability.
The standard provides practical governance guidance across the AI lifecycle and the organizational conditions that shape AI outcomes. It addresses key governance considerations such as:
- Board-level accountability and oversight for AI outcomes (including escalation pathways and decision authority)
- Governing AI-enabled decision-making (human oversight, contestability, and transparency expectations)
- Governing data use for AI (data quality, provenance, permitted use, and protection of sensitive information)
- Culture and values (ensuring AI use aligns with organizational values and stakeholder expectations)
- Compliance obligations (legal, regulatory, and contractual considerations relevant to AI use)
- Risk management and assurance (identifying AI-specific risks such as bias, misuse, drift, and third-party dependency, and ensuring monitoring and review)
If your organization is already using AI (including automation and decision support) or is considering adoption, Cyber Security Centre’s ISO/IEC 38507:2022 overview can help you translate the standard into board-ready governance artefacts—such as AI policy positions, decision and accountability models, risk registers, and evidence-based oversight routines—appropriate to your operating environment and risk appetite.
How will organizations benefit from ISO 38507 Attestation?
- Inspires trust – provides customers, regulators, and stakeholders with greater confidence that AI is governed responsibly and transparently.
- Improves decision quality – strengthens executive and board oversight of AI-enabled decisions, reducing unmanaged automation risk.
- Protects your brand reputation – reduces the likelihood and impact of harmful AI outcomes (e.g., biased decisions, inappropriate use, or poorly governed deployments).
- Supports compliance – helps structure governance to meet evolving legal, regulatory, and contractual expectations for AI use.
- Enables safe innovation – provides a clear governance foundation so teams can adopt AI faster while maintaining accountability, control, and assurance.
